diffstat for xdg-dbus-proxy-0.1.4 xdg-dbus-proxy-0.1.4 debian/changelog | 16 ++ debian/gbp.conf | 2 debian/patches/Fix-GVariant-reference-leaks.patch | 78 ++++++++++ debian/patches/Improve-detection-of-eavesdrop-true.patch | 70 ++++++++ debian/patches/flatpak-proxy-Use-g_autoptr-in-validate_arg0_match.patch | 47 ++++++ debian/patches/series | 3 flatpak-proxy.c | 55 +++++-- 7 files changed, 257 insertions(+), 14 deletions(-) diff -Nru xdg-dbus-proxy-0.1.4/debian/changelog xdg-dbus-proxy-0.1.4/debian/changelog --- xdg-dbus-proxy-0.1.4/debian/changelog 2022-12-08 10:46:11.000000000 +0000 +++ xdg-dbus-proxy-0.1.4/debian/changelog 2026-04-15 20:27:48.000000000 +0100 @@ -1,3 +1,19 @@ +xdg-dbus-proxy (0.1.4-3+deb12u1) bookworm-security; urgency=high + + * d/gbp.conf: Configure for bookworm + * d/p/Fix-GVariant-reference-leaks.patch: + Add patch from upstream 0.1.6 fixing some memory leaks. + As well as being a desirable bug fix, this is necessary for the fix + for CVE-2026-34080 to apply cleanly. + * d/p/flatpak-proxy-Use-g_autoptr-in-validate_arg0_match.patch, + d/p/Improve-detection-of-eavesdrop-true.patch: + Fix detection of eavesdrop=true match rules, resolving a vulnerability + in which a malicious or compromised Flatpak app could monitor D-Bus + traffic that it was not intended to be able to access. + (CVE-2026-34080) (Closes: #1132939) + + -- Simon McVittie Wed, 15 Apr 2026 20:27:48 +0100 + xdg-dbus-proxy (0.1.4-3) unstable; urgency=medium * Depend on dbus-daemon for tests instead of dbus. diff -Nru xdg-dbus-proxy-0.1.4/debian/gbp.conf xdg-dbus-proxy-0.1.4/debian/gbp.conf --- xdg-dbus-proxy-0.1.4/debian/gbp.conf 2022-12-08 10:46:11.000000000 +0000 +++ xdg-dbus-proxy-0.1.4/debian/gbp.conf 2026-04-15 20:27:48.000000000 +0100 @@ -1,7 +1,7 @@ [DEFAULT] pristine-tar = True compression = xz -debian-branch = debian/latest +debian-branch = debian/bookworm upstream-branch = upstream/latest patch-numbers = False upstream-vcs-tag = %(version)s diff -Nru xdg-dbus-proxy-0.1.4/debian/patches/Fix-GVariant-reference-leaks.patch xdg-dbus-proxy-0.1.4/debian/patches/Fix-GVariant-reference-leaks.patch --- xdg-dbus-proxy-0.1.4/debian/patches/Fix-GVariant-reference-leaks.patch 1970-01-01 01:00:00.000000000 +0100 +++ xdg-dbus-proxy-0.1.4/debian/patches/Fix-GVariant-reference-leaks.patch 2026-04-15 20:27:48.000000000 +0100 @@ -0,0 +1,78 @@ +From: Simo Piiroinen +Date: Thu, 11 Mar 2021 07:18:40 +0200 +Subject: Fix GVariant reference leaks + +There is memory leakage that is proportional to amount of incoming +dbus traffic. Analyzing valgrind logs points towards GVariant +reference leaks from functions like validate_arg0_name(). + +Documentation for g_variant_get_child_value() states: "The returned +value is never floating. You should free it with g_variant_unref() +when you're done with it." Many functions omit such cleanup actions. + +Use g_autoptr(GVariant) type for variables that are used for storing +g_variant_get_child_value() return value - like how it is already done +in get_arg0_string(). + +Signed-off-by: Simo Piiroinen +Origin: upstream, 0.1.6, commit:855dfebcffc5bc217aa3e45e07234e1e7f3213e7 +--- + flatpak-proxy.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/flatpak-proxy.c b/flatpak-proxy.c +index 4878156..4d3ac25 100644 +--- a/flatpak-proxy.c ++++ b/flatpak-proxy.c +@@ -1821,7 +1821,8 @@ static gboolean + validate_arg0_match (FlatpakProxyClient *client, Buffer *buffer) + { + GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); +- GVariant *body, *arg0; ++ GVariant *body; ++ g_autoptr(GVariant) arg0 = NULL; + const char *match; + gboolean res = TRUE; + +@@ -1843,7 +1844,8 @@ static gboolean + validate_arg0_name (FlatpakProxyClient *client, Buffer *buffer, FlatpakPolicy required_policy, FlatpakPolicy *has_policy) + { + GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); +- GVariant *body, *arg0; ++ GVariant *body; ++ g_autoptr(GVariant) arg0 = NULL; + const char *name; + FlatpakPolicy name_policy; + gboolean res = FALSE; +@@ -1876,7 +1878,8 @@ static Buffer * + filter_names_list (FlatpakProxyClient *client, Buffer *buffer) + { + GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); +- GVariant *body, *arg0, *new_names; ++ GVariant *body, *new_names; ++ g_autoptr(GVariant) arg0 = NULL; + const gchar **names; + int i; + GVariantBuilder builder; +@@ -1922,7 +1925,10 @@ static gboolean + should_filter_name_owner_changed (FlatpakProxyClient *client, Buffer *buffer) + { + GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); +- GVariant *body, *arg0, *arg1, *arg2; ++ GVariant *body; ++ g_autoptr(GVariant) arg0 = NULL; ++ g_autoptr(GVariant) arg1 = NULL; ++ g_autoptr(GVariant) arg2 = NULL; + const gchar *name, *new; + gboolean filter = TRUE; + +@@ -2118,7 +2124,8 @@ static void + queue_wildcard_initial_name_ops (FlatpakProxyClient *client, Header *header, Buffer *buffer) + { + GDBusMessage *decoded_message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); +- GVariant *body, *arg0; ++ GVariant *body; ++ g_autoptr(GVariant) arg0 = NULL; + + if (decoded_message != NULL && + header->type == G_DBUS_MESSAGE_TYPE_METHOD_RETURN && diff -Nru xdg-dbus-proxy-0.1.4/debian/patches/flatpak-proxy-Use-g_autoptr-in-validate_arg0_match.patch xdg-dbus-proxy-0.1.4/debian/patches/flatpak-proxy-Use-g_autoptr-in-validate_arg0_match.patch --- xdg-dbus-proxy-0.1.4/debian/patches/flatpak-proxy-Use-g_autoptr-in-validate_arg0_match.patch 1970-01-01 01:00:00.000000000 +0100 +++ xdg-dbus-proxy-0.1.4/debian/patches/flatpak-proxy-Use-g_autoptr-in-validate_arg0_match.patch 2026-04-15 20:27:48.000000000 +0100 @@ -0,0 +1,47 @@ +From: Sebastian Wick +Date: Wed, 24 Apr 2024 15:53:28 +0200 +Subject: flatpak-proxy: Use g_autoptr in validate_arg0_match() + +Originally part of a larger commit "flatpak-proxy: Use more +g_autoptr/g_autofree" upstream. + +Signed-off-by: Sebastian Wick +[smcv: Separated from a larger commit, rewrote commit message] +Co-authored-by: Simon McVittie +Origin: backport, 0.1.6, commit:03bec4aee2ff1275b9303402da970dff7dbe7934 +--- + flatpak-proxy.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/flatpak-proxy.c b/flatpak-proxy.c +index 4d3ac25..d541717 100644 +--- a/flatpak-proxy.c ++++ b/flatpak-proxy.c +@@ -1820,11 +1820,11 @@ get_arg0_string (Buffer *buffer) + static gboolean + validate_arg0_match (FlatpakProxyClient *client, Buffer *buffer) + { +- GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); ++ g_autoptr(GDBusMessage) message = ++ g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); + GVariant *body; + g_autoptr(GVariant) arg0 = NULL; + const char *match; +- gboolean res = TRUE; + + if (message != NULL && + (body = g_dbus_message_get_body (message)) != NULL && +@@ -1833,11 +1833,10 @@ validate_arg0_match (FlatpakProxyClient *client, Buffer *buffer) + { + match = g_variant_get_string (arg0, NULL); + if (strstr (match, "eavesdrop=") != NULL) +- res = FALSE; ++ return FALSE; + } + +- g_object_unref (message); +- return res; ++ return TRUE; + } + + static gboolean diff -Nru xdg-dbus-proxy-0.1.4/debian/patches/Improve-detection-of-eavesdrop-true.patch xdg-dbus-proxy-0.1.4/debian/patches/Improve-detection-of-eavesdrop-true.patch --- xdg-dbus-proxy-0.1.4/debian/patches/Improve-detection-of-eavesdrop-true.patch 1970-01-01 01:00:00.000000000 +0100 +++ xdg-dbus-proxy-0.1.4/debian/patches/Improve-detection-of-eavesdrop-true.patch 2026-04-15 20:27:48.000000000 +0100 @@ -0,0 +1,70 @@ +From: Sebastian Wick +Date: Wed, 25 Feb 2026 04:33:50 +0100 +Subject: Improve detection of eavesdrop=true + +While in bus-broker, the eavesdrop match must follow the form of +`eavesdrop=[true|false]`, dbus-broker is more forgiving in its parsing +and also accepts `eavesdrop =[true|false]` and other whitespace (\t\r\n) +between `eavesdrop` and `=`. Let's make sure we also find those cases. + +Origin: upstream, 0.1.7, commit:4d0d1d74d4f40260a79161163b4b2f7276bce0b0 +Bug: https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677 +Bug-CVE: CVE-2026-34080 +Bug-Debian: https://bugs.debian.org/1132939 +--- + flatpak-proxy.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +diff --git a/flatpak-proxy.c b/flatpak-proxy.c +index d541717..231c5a4 100644 +--- a/flatpak-proxy.c ++++ b/flatpak-proxy.c +@@ -1817,6 +1817,31 @@ get_arg0_string (Buffer *buffer) + return name; + } + ++/* Matches against any "eavesdrop=", "eavesdrop =", etc. in str */ ++static gboolean ++is_eavesdrop (const char *str) ++{ ++ const char *e = str; ++ ++ while (TRUE) ++ { ++ e = strstr (e, "eavesdrop"); ++ if (e == NULL) ++ return FALSE; ++ ++ e += strlen ("eavesdrop"); ++ ++ while (*e == ' '|| ++ *e == '\t' || ++ *e == '\n' || ++ *e == '\r') ++ e++; ++ ++ if (e[0] == '=') ++ return TRUE; ++ } ++} ++ + static gboolean + validate_arg0_match (FlatpakProxyClient *client, Buffer *buffer) + { +@@ -1824,15 +1849,13 @@ validate_arg0_match (FlatpakProxyClient *client, Buffer *buffer) + g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); + GVariant *body; + g_autoptr(GVariant) arg0 = NULL; +- const char *match; + + if (message != NULL && + (body = g_dbus_message_get_body (message)) != NULL && + (arg0 = g_variant_get_child_value (body, 0)) != NULL && + g_variant_is_of_type (arg0, G_VARIANT_TYPE_STRING)) + { +- match = g_variant_get_string (arg0, NULL); +- if (strstr (match, "eavesdrop=") != NULL) ++ if (is_eavesdrop (g_variant_get_string (arg0, NULL))) + return FALSE; + } + diff -Nru xdg-dbus-proxy-0.1.4/debian/patches/series xdg-dbus-proxy-0.1.4/debian/patches/series --- xdg-dbus-proxy-0.1.4/debian/patches/series 2022-12-08 10:46:11.000000000 +0000 +++ xdg-dbus-proxy-0.1.4/debian/patches/series 2026-04-15 20:27:48.000000000 +0100 @@ -1 +1,4 @@ meson-Optionally-install-tests-for-as-installed-testing.patch +Fix-GVariant-reference-leaks.patch +flatpak-proxy-Use-g_autoptr-in-validate_arg0_match.patch +Improve-detection-of-eavesdrop-true.patch diff -Nru xdg-dbus-proxy-0.1.4/flatpak-proxy.c xdg-dbus-proxy-0.1.4/flatpak-proxy.c --- xdg-dbus-proxy-0.1.4/flatpak-proxy.c 2022-04-23 17:50:29.000000000 +0100 +++ xdg-dbus-proxy-0.1.4/flatpak-proxy.c 2026-04-15 21:31:59.000000000 +0100 @@ -1817,33 +1817,57 @@ return name; } +/* Matches against any "eavesdrop=", "eavesdrop =", etc. in str */ +static gboolean +is_eavesdrop (const char *str) +{ + const char *e = str; + + while (TRUE) + { + e = strstr (e, "eavesdrop"); + if (e == NULL) + return FALSE; + + e += strlen ("eavesdrop"); + + while (*e == ' '|| + *e == '\t' || + *e == '\n' || + *e == '\r') + e++; + + if (e[0] == '=') + return TRUE; + } +} + static gboolean validate_arg0_match (FlatpakProxyClient *client, Buffer *buffer) { - GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); - GVariant *body, *arg0; - const char *match; - gboolean res = TRUE; + g_autoptr(GDBusMessage) message = + g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); + GVariant *body; + g_autoptr(GVariant) arg0 = NULL; if (message != NULL && (body = g_dbus_message_get_body (message)) != NULL && (arg0 = g_variant_get_child_value (body, 0)) != NULL && g_variant_is_of_type (arg0, G_VARIANT_TYPE_STRING)) { - match = g_variant_get_string (arg0, NULL); - if (strstr (match, "eavesdrop=") != NULL) - res = FALSE; + if (is_eavesdrop (g_variant_get_string (arg0, NULL))) + return FALSE; } - g_object_unref (message); - return res; + return TRUE; } static gboolean validate_arg0_name (FlatpakProxyClient *client, Buffer *buffer, FlatpakPolicy required_policy, FlatpakPolicy *has_policy) { GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); - GVariant *body, *arg0; + GVariant *body; + g_autoptr(GVariant) arg0 = NULL; const char *name; FlatpakPolicy name_policy; gboolean res = FALSE; @@ -1876,7 +1900,8 @@ filter_names_list (FlatpakProxyClient *client, Buffer *buffer) { GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); - GVariant *body, *arg0, *new_names; + GVariant *body, *new_names; + g_autoptr(GVariant) arg0 = NULL; const gchar **names; int i; GVariantBuilder builder; @@ -1922,7 +1947,10 @@ should_filter_name_owner_changed (FlatpakProxyClient *client, Buffer *buffer) { GDBusMessage *message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); - GVariant *body, *arg0, *arg1, *arg2; + GVariant *body; + g_autoptr(GVariant) arg0 = NULL; + g_autoptr(GVariant) arg1 = NULL; + g_autoptr(GVariant) arg2 = NULL; const gchar *name, *new; gboolean filter = TRUE; @@ -2118,7 +2146,8 @@ queue_wildcard_initial_name_ops (FlatpakProxyClient *client, Header *header, Buffer *buffer) { GDBusMessage *decoded_message = g_dbus_message_new_from_blob (buffer->data, buffer->size, 0, NULL); - GVariant *body, *arg0; + GVariant *body; + g_autoptr(GVariant) arg0 = NULL; if (decoded_message != NULL && header->type == G_DBUS_MESSAGE_TYPE_METHOD_RETURN &&